Skip to main content

June 2015 High and Emerging Risk List

June 30, 2015
(Data as of December 31, 2014)

PDF of June 2015 Risk List

Risk List Process

We begin development of the Risk List by identifying areas of risk potentially faced by District financial institutions. Then we assess each risk for level of concern, level of exposure, and trend – see Table 1. Table 2 lists all risks considered and shows the level of concern and level of exposure for the current period and two prior periods. The report includes trend data only for the current period. While there is a slight bias toward issues affecting SMBs, the process assesses risk exposure for all Ninth District banks and holding companies.

In the sections that follow we discuss risks rated high or elevated, regardless of exposure, and any risk rated moderate that has a significant exposure level. These sections appear in order of risk severity. We also included brief discussions of risks that, although currently below the threshold for a complete write-up, have the potential to emerge as significant concerns in the near term or for which additional information is needed to assess the actual level of risk. Finally, we do not comment on risk dimensions that are not currently significant areas of concern.


Risk List Table 1


Risk List Table 2


Summary of Key Risks

Cybersecurity Risk Red arrow

Cybersecurity is the universe of technologies, processes, and practices designed to protect networks, computers, programs, and data from attack, damage, or unauthorized access. Risk arises when any of these elements are ineffective. Suspicious activity reports (SARs) filed by District SMBs regularly reveal instances of customer identity theft and account takeover. In addition, an SMB recently reported finding a fraudulent copy of the bank’s website online. Losses associated with account takeover can be significant, since business accounts are the primary targets and the weapon of choice is large wire transfers. Other activities increasing information security risks include expanded technology platforms for delivering services and new data storage technologies.

Key Action Steps for Banks and Holding Companies

  • Take advantage of educational opportunities related to steps institutions can take to mitigate and control cybersecurity risk, including Federal Reserve outreach materials and interagency guidance such as the FFIEC’s “Cybersecurity Assessment General Observations” and “Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement” released in November 2014.
  • Work with IT examiners and other IT professionals to identify information security gaps that institutions should be addressing in their organization and with their vendors, including:
    • Detective controls: for example, for routinely scanning IT networks for vulnerabilities and anomalous activity.
    • Proactive testing of systems for their potential exposure to cyber-attacks.
    • Controls to help mitigate ATM skimming risk.
  • Ensure the complaints function has the capacity and expertise to handle breach-related complaints.
  • Expect heightened regulatory scrutiny of their cybersecurity measures as part of their safety and soundness and regulatory compliance examinations.

Strategic Risk Yellow arrow

Strategic Risk is the risk that a financial institution will incur losses by pursuing new or high-risk activities or will change business strategies in response to actual or perceived threats to the entity’s profitability. Banks of all sizes have had to reassess their options for improving profitability and remaining independent, given the low interest rates, and increasing costs. In some cases, District banks have responded by increasing out-of-area participations, taken on higher-yielding investments, or increased their reliance on vendors to cut costs. Engaging in new activities without first establishing an appropriate control framework could result in financial and reputational damage.  

Key Action Steps for Banks and Holding Companies

  • Have effective strategic planning processes that incorporate strategic initiatives to ensure management and board oversight, adequately address due diligence, and identify current and future human resource needs.
  • Proactively consult with Reserve Bank relationship, applications, and consumer affairs staff as appropriate with regard to significant planned changes in business strategy or operations, applicable regulatory requirements, and controls.

Agricultural Credit Risk Yellow arrow

Agriculture credit risk is comprised of the direct and indirect credit risks related to agriculture producers and their communities. The majority of District bank loan portfolios continue to be highly exposed to agriculture, and loan growth is returning. Prices for key crops (corn, soybean, and wheat) have declined to 2010 levels, which is straining borrower cash flow. Additionally land prices at historically high levels have the potential for material decline over the next several years.

Key Action Steps for Banks and Holding Companies

  • Carefully monitor cash flow projections and take proactive steps with borrowers that are likely to experience cash flow difficulties.
  • Consider their agriculture concentration in the capital planning process to ensure its adequacy against loan portfolio risk.

Interest Rate Risk Yellow arrow

Interest rate risk (IRR) is the risk that an investment's value will change due to a change in the absolute level of interest rates. Net interest margin compression from the prolonged period of low interest rates have led some banks to invest in longer-term assets in order to increase yield, but has led to increased exposure in a rising rate environment. Bank regulators are concerned about the significant inflow of deposits over recent years, especially nonmaturity deposits, which have made it more difficult to develop robust IRR modeling assumptions.

Key Action Steps for Banks and Holding Companies

  • Carefully consider plausible strategies for adjusting balance sheets as rates begin to rise; a gradual increase, for instance, may be more appropriate than a +100 or +200 basis point shock. 
  • Evaluate whether:
    • Models address both on-balance-sheet and off-balance-sheet risk.
    • Management and the board understand key assumptions and weaknesses of models.
    • Assumptions consider the impact of large deposits and surge deposits and their related betas, decay rates, and changes in deposit mix.
    • Scenario analyses and stress tests are appropriate and identify exposure under a variety of rate environments and stress scenarios.

Vendor Risk Yellow arrow

Vendor management risk is the risk of financial loss or reputational damage resulting from actions of a vendor on behalf of or in providing services to a financial institution. Some banks have been expanding the activities they outsource to offset continued earnings pressure and increase efficiency and are also renegotiating vendor contracts or looking for less expensive vendors to reduce expenses. A common concern with vendor relationships is management’s overreliance on the vendor and lack of knowledge about the outsourced activity.

Key Action Steps for Banks and Holding Companies

  • Understand the requirements of the Federal Reserve’s SR 13-19/CA 13-21 (Guidance on Managing Outsourcing Risk), which states that banking organizations should:
    • Establish board-approved vendor risk management policies and programs.
    • Prepare a comprehensive list of service providers and critical vendors.
    • Perform an assessment of third-party risks, and more in-depth assessments of critical vendors.
    • Establish due diligence standards for new relationships.
  • Apply additional scrutiny to new products delivered through vendors, especially those that have access to customer information or that communicate directly with customers.

Bank Secrecy Act, Anti-Money Laundering, and Office of Foreign Assets Control Risk Yellow arrow

Bank Secrecy Act, Anti-Money Laundering, and Office of Foreign Assets Control Risk (BSA, AML, OFAC) is the risk of legal and compliance costs and reputational damage associated with failure to comply with BSA/AML and OFAC obligations. In the current operating environment, BSA/AML and OFAC risks have increased for banks, especially those engaging in payday lending, third-party payment processors, and those providing financial services to marijuana-related businesses. The conflict between state laws permitting certain types of marijuana use and distribution in 23 states (including Michigan, Minnesota, and Montana), and the federal Controlled Substance Act of 1970 increases BSA/AML risk in states where medical and/or recreational marijuana is legalized whether or not banks are actively seeking to do business with marijuana-related businesses.

Key Action Steps for Banks and Holding Companies

Payment Processing and Payday Lending

  • Banks providing these services should have appropriate customer due diligence, enhanced due diligence, and suspicious activity identification and reporting processes.

Marijuana-related Businesses

  • Banks, particularly those in or bordering states that have legalized marijuana for medical and/or recreational use, should ensure that they are familiar with the FinCEN guidance, have identified any covered customers, and have filed SARs as required.
  • All SMBs should carefully assess BSA/AML risk posed by legalized marijuana, especially those located in states where medical and/or recreational marijuana is legalized.
  • Banks with customers engaged in marijuana-related businesses should ensure they have developed an effective compliance program.


  • OFAC compliance programs should:
    • Designate an OFAC officer.
    • Ensure continuity of the OFAC compliance program when there are personnel changes.
    • Maintain up-to-date screening tools.
    • Include effective remediation programs when OFAC weaknesses are identified.

Consumer Compliance Risk Yellow arrow

Consumer compliance risk, in general, is the risk of legal or regulatory sanctions, financial loss, consumer harm, or damage to reputation and franchise value caused by failure to comply with or adhere to (1) Consumer protection laws, regulations, or standards, (2) the institution’s own policies, procedures, code of conduct, and ethical standards, or (3) principles of integrity and fair dealing applicable to the institution’s business activities.  Consumer compliance risk is concentrated in new regulatory requirements and standards, particularly those applicable to mortgage lending.  Ninth District financial institutions have devoted significant resources to implement changes to comply with new mortgage regulations and other regulatory changes during the past few years. Banks need to continue addressing new consumer compliance expectations given the significant changes to mortgage loan disclosures that will become effective in 2015 as well as the proposed changes to Home Mortgage Disclosure Act reporting requirements.

Key Action Steps for Banks and Holding Companies

  • Banks can expect Consumer Affairs to:
    • Monitor compliance risk issues and share this information and related guidance with District institutions through outreach efforts.
    • Focus on high-risk areas identified above, as well as vendor management, cybersecurity, change management, complaints, and higher-risk products.

Below-Threshold But Potentially Significant Risks

In addition to the keys risks already discussed, there are other potentially significant risks, which Banks and Holding Companies should monitor, including:

  • Investment securities risk is the risk of credit losses in the investment securities portfolio. Most credit exposure in Ninth District bank investment portfolios is to municipal bond issuers.  However, the prevalence of Bank-owned life insurance also continues to grow. Several banks have concentrations exceeding 25% of tier 1 capital, which constitutes a concentration warranting enhanced oversight as noted in SR 04-19.
  • Energy sector risk is comprised of the direct and indirect risks related to Energy producers and their communities. District energy sector risk is concentrated in the Bakken Formation in western North Dakota and eastern Montana, where the boom has brought with it economic benefits and challenges. The fall in oil prices could have significant implications for the repayment capacity of borrowers with energy exposure.